2011-12-05 19:11:12 | Serge Hallyn | description
The hooks documented in http://www.libvirt.org/hooks.html cannot be executed; there is no mention of them in the apparmor profile.
For example, the "daemon" hook produces this message in the log:
Nov 17 06:54:06 nexus kernel: [ 8914.624912] type=1400 audit(1321498446.082:65): apparmor="DENIED" operation="exec" parent=4756 profile="/usr/sbin/libvirtd" name="/etc/libvirt/hooks/daemon" pid=4757 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
Description: Ubuntu 11.10
Release: 11.10
libvirt-bin:
  Installed: 0.9.2-4ubuntu15.1
  Candidate: 0.9.2-4ubuntu15.1
  Version table:
 *** 0.9.2-4ubuntu15.1 0
        500 http://xx.archive.ubuntu.com/ubuntu/ oneiric-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     0.9.2-4ubuntu15 0
        500 http://xx.archive.ubuntu.com/ubuntu/ oneiric/main amd64 Packages
==============================================================
SRU Justification:
1. Impact: libvirt hooks cannot be used
2. Development fix: add apparmor rule to allow use of libvirt hooks
3. Stable fix: same as development fix
4. Test case:
a. install libvirt
b. create /etc/libvirt/hooks/daemon containing:
#!/bin/sh
# libvirtd only runs a hook that is executable (chmod +x /etc/libvirt/hooks/daemon)
date >> /tmp/libvirt-hook-debug
c. stop libvirt-bin; start libvirt-bin
d. check whether /tmp/libvirt-hook-debug exists
5. Regression potential: if the profile has a syntax error, it could cause problems loading the profile, or lead to too much or insufficient privilege for libvirt to run.
==============================================================
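An added example (not part of this bug report, and not code from libvirt or the Ubuntu package): a POSIX shell script that recognises the kind of AppArmor denial quoted above and prints the rule a fix would add inside the "/usr/sbin/libvirtd { ... }" block of /etc/apparmor.d/usr.sbin.libvirtd. The function names, the second sample log line and the exact rule text ("/etc/libvirt/hooks/** rmix,") are this example's own assumptions; the page does not show the rule the update actually shipped. The "ix" transition keeps a hook confined by libvirtd's own profile, so the hook can only touch what libvirtd may; "Ux" would run hooks unconfined as root, which is more privilege than a hook needs.

```shell
#!/bin/sh
# Added example, not part of the bug report or of libvirt/Ubuntu.
# Classifies AppArmor audit lines like the one in the report and prints the
# profile rule that lets libvirtd execute its hooks.  Function names are
# hypothetical; the rule shape is this example's choice, not a quote of the fix.

HOOK_DIR="/etc/libvirt/hooks"
LIBVIRTD_PROFILE="/usr/sbin/libvirtd"

# audit_field LINE KEY: print the value of KEY="..." or KEY=bare in LINE.
# Returns 1 if KEY does not occur in LINE (keys are always preceded by a space).
audit_field() {
    rest="${1#* $2=}"
    [ "$rest" != "$1" ] || return 1
    case "$rest" in
        \"*) rest="${rest#\"}"; printf '%s\n' "${rest%%\"*}" ;;
        *)   printf '%s\n' "${rest%% *}" ;;
    esac
}

# is_hook_exec_denial LINE: succeed only for an AppArmor exec denial of a path
# under HOOK_DIR raised by the libvirtd profile (the failure mode in the report).
is_hook_exec_denial() {
    [ "$(audit_field "$1" apparmor)" = "DENIED" ] || return 1
    [ "$(audit_field "$1" operation)" = "exec" ] || return 1
    [ "$(audit_field "$1" profile)" = "$LIBVIRTD_PROFILE" ] || return 1
    case "$(audit_field "$1" name)" in
        "$HOOK_DIR"/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# rule_for_hook_denial LINE: print the rule to add to the libvirtd profile
# (/etc/apparmor.d/usr.sbin.libvirtd) for a hook exec denial.  'ix' makes the
# hook inherit libvirtd's confinement; 'Ux' would instead run it unconfined as
# root, which is more privilege than a hook needs.  Rule text is an assumption.
rule_for_hook_denial() {
    is_hook_exec_denial "$1" || return 1
    printf '  %s/** rmix,\n' "$HOOK_DIR"
}

# hook_rules_from_log: read audit lines on stdin, print each needed rule once.
hook_rules_from_log() {
    while IFS= read -r line; do
        rule_for_hook_denial "$line" || true
    done | sort -u
}

# Constructed sample input: the denial line quoted in the report, plus a
# made-up unrelated denial that must not produce a hook rule.
SAMPLE_DENIAL='Nov 17 06:54:06 nexus kernel: [ 8914.624912] type=1400 audit(1321498446.082:65): apparmor="DENIED" operation="exec" parent=4756 profile="/usr/sbin/libvirtd" name="/etc/libvirt/hooks/daemon" pid=4757 comm="libvirtd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0'
SAMPLE_OTHER='Nov 17 06:55:01 nexus kernel: [ 8969.100000] type=1400 audit(1321498501.100:66): apparmor="DENIED" operation="open" parent=4756 profile="/usr/sbin/libvirtd" name="/etc/shadow" pid=4758 comm="libvirtd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

printf '%s\n%s\n' "$SAMPLE_DENIAL" "$SAMPLE_OTHER" | hook_rules_from_log

# After appending the rule to /etc/apparmor.d/usr.sbin.libvirtd, reload it and
# re-run the test case from the SRU justification (needs root; not run here):
#   apparmor_parser -r /etc/apparmor.d/usr.sbin.libvirtd
#   stop libvirt-bin; start libvirt-bin
#   ls -l /tmp/libvirt-hook-debug
```

To check a real system, feed it the kernel log instead of the constructed lines, e.g. `grep 'apparmor="DENIED"' /var/log/kern.log | hook_rules_from_log`; an empty result after the profile reload and the restart in step c means the exec denial is gone.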